formbook | b5bcdc51fdaabc11a62e8401493b5fa24b6f4a350d597cc58a04cfc0dedefbfc

General

Target

New Order.docx
Size

10KB
MD5

37440402e2f3bed12f391338cbd4fc12
SHA1

f28f9be236b1593f2f7da3ceb4b0478c96c7b0d0
SHA256

b5bcdc51fdaabc11a62e8401493b5fa24b6f4a350d597cc58a04cfc0dedefbfc
SHA512

468e045dcec4558ed25e25f0dae0fb99be55e300994ffc698e2cb6dfc0812c89d3a13a69e0fe0166d4f0a50891bcb1f65526122e8ae52b67056c937e25c7fa5a

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.bookkeeping32.com/p6ai/

Decoy

ocfoundation.info

fullhouse01.com

a-great-lexus-rx.fyi

googlepayperclick.com

coachmyragolden.com

luxclothing.club

medicationbuddy.com

miraclepawsfoundation.com

datingforcez.online

wasteharvester.com

solslides.com

hotel-ritterhof.com

tianjinsf.com

receiveyourcashnow.com

the-vma.com

godrejroyalewoodsbangalore.com

erickrokanphotography.com

vasinvestments.com

janlago.com

2nocent.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2020-79-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2020-80-0x000000000041EB10-mapping.dmp	formbook
behavioral1/memory/1592-92-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

13 596 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

928 vbc.exe
2020 vbc.exe

flow	pid	process
13	596	EQNEDT32.EXE

pid	process
928	vbc.exe
2020	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\https://hyp.ae/pGGoM	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

596 EQNEDT32.EXE
596 EQNEDT32.EXE
596 EQNEDT32.EXE
596 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
596	EQNEDT32.EXE
596	EQNEDT32.EXE
596	EQNEDT32.EXE
596	EQNEDT32.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

vbc.exevbc.exeexplorer.exe

description	pid	process	target process
PID 928 set thread context of 2020	928	vbc.exe	vbc.exe
PID 2020 set thread context of 1292	2020	vbc.exe	Explorer.EXE
PID 2020 set thread context of 1292	2020	vbc.exe	Explorer.EXE
PID 1592 set thread context of 1292	1592	explorer.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

596 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
596	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1116 WINWORD.EXE

pid	process
1116	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

vbc.exeexplorer.exe

pid	process
2020	vbc.exe
2020	vbc.exe
2020	vbc.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe
1592	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

vbc.exeexplorer.exe

pid process

2020 vbc.exe
2020 vbc.exe
2020 vbc.exe
2020 vbc.exe
1592 explorer.exe
1592 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 2020 vbc.exe
Token: SeDebugPrivilege 1592 explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1116 WINWORD.EXE
1116 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2020	vbc.exe
Token: SeDebugPrivilege	1592	explorer.exe

pid	process
1116	WINWORD.EXE
1116	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 596 wrote to memory of 928	596	EQNEDT32.EXE	vbc.exe
PID 596 wrote to memory of 928	596	EQNEDT32.EXE	vbc.exe
PID 596 wrote to memory of 928	596	EQNEDT32.EXE	vbc.exe
PID 596 wrote to memory of 928	596	EQNEDT32.EXE	vbc.exe
PID 1116 wrote to memory of 1520	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 1520	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 1520	1116	WINWORD.EXE	splwow64.exe
PID 1116 wrote to memory of 1520	1116	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 2020	928	vbc.exe	vbc.exe
PID 928 wrote to memory of 2020	928	vbc.exe	vbc.exe
PID 928 wrote to memory of 2020	928	vbc.exe	vbc.exe
PID 928 wrote to memory of 2020	928	vbc.exe	vbc.exe
PID 928 wrote to memory of 2020	928	vbc.exe	vbc.exe
PID 928 wrote to memory of 2020	928	vbc.exe	vbc.exe
PID 928 wrote to memory of 2020	928	vbc.exe	vbc.exe
PID 1292 wrote to memory of 1592	1292	Explorer.EXE	explorer.exe
PID 1292 wrote to memory of 1592	1292	Explorer.EXE	explorer.exe
PID 1292 wrote to memory of 1592	1292	Explorer.EXE	explorer.exe
PID 1292 wrote to memory of 1592	1292	Explorer.EXE	explorer.exe
PID 1592 wrote to memory of 908	1592	explorer.exe	cmd.exe
PID 1592 wrote to memory of 908	1592	explorer.exe	cmd.exe
PID 1592 wrote to memory of 908	1592	explorer.exe	cmd.exe
PID 1592 wrote to memory of 908	1592	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New Order.docx"
2⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1520

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Public\vbc.exe"
3⤵
PID:908

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
2dfc510fcb8520b77eb106532c34d50d

SHA1
dad10972c6b92fd4d8f68b66aa028b3b081a2e2f

SHA256
27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a

SHA512
00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1

Download Submit
C:\Users\Public\vbc.exe
MD5
2dfc510fcb8520b77eb106532c34d50d

SHA1
dad10972c6b92fd4d8f68b66aa028b3b081a2e2f

SHA256
27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a

SHA512
00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1

Download Submit
C:\Users\Public\vbc.exe
MD5
2dfc510fcb8520b77eb106532c34d50d

SHA1
dad10972c6b92fd4d8f68b66aa028b3b081a2e2f

SHA256
27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a

SHA512
00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1

Download Submit
\Users\Public\vbc.exe
MD5
2dfc510fcb8520b77eb106532c34d50d

SHA1
dad10972c6b92fd4d8f68b66aa028b3b081a2e2f

SHA256
27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a

SHA512
00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1

Download Submit
\Users\Public\vbc.exe
MD5
2dfc510fcb8520b77eb106532c34d50d

SHA1
dad10972c6b92fd4d8f68b66aa028b3b081a2e2f

SHA256
27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a

SHA512
00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1

Download Submit
\Users\Public\vbc.exe
MD5
2dfc510fcb8520b77eb106532c34d50d

SHA1
dad10972c6b92fd4d8f68b66aa028b3b081a2e2f

SHA256
27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a

SHA512
00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1

Download Submit
\Users\Public\vbc.exe
MD5
2dfc510fcb8520b77eb106532c34d50d

SHA1
dad10972c6b92fd4d8f68b66aa028b3b081a2e2f

SHA256
27040911c356e4c61ddb89d1eb6d828e6713aafdb0aa4de56b9a6d3fac54274a

SHA512
00ec515a7295131378fc321814dfebcc74d4957437ed11bdab359704fd3f833f5d90cdd5eb1b0b59c078ec765569dd61d99a372851ff46d085e5d96b279936a1

Download Submit
memory/908-90-0x0000000000000000-mapping.dmp

Download
memory/928-77-0x0000000007F80000-0x0000000007FFA000-memory.dmp

Filesize
488KB

Download
memory/928-75-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/928-68-0x0000000000000000-mapping.dmp

Download
memory/928-71-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/928-78-0x0000000000AB0000-0x0000000000AE5000-memory.dmp

Filesize
212KB

Download
memory/928-76-0x0000000000390000-0x00000000003AB000-memory.dmp

Filesize
108KB

Download
memory/1116-60-0x0000000070881000-0x0000000070883000-memory.dmp

Filesize
8KB

Download
memory/1116-59-0x0000000072E01000-0x0000000072E04000-memory.dmp

Filesize
12KB

Download
memory/1116-62-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1116-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1292-84-0x0000000006CA0000-0x0000000006DC9000-memory.dmp

Filesize
1.2MB

Download
memory/1292-86-0x0000000007300000-0x0000000007452000-memory.dmp

Filesize
1.3MB

Download
memory/1520-74-0x000007FEFC301000-0x000007FEFC303000-memory.dmp

Filesize
8KB

Download
memory/1520-73-0x0000000000000000-mapping.dmp

Download
memory/1592-89-0x000000006B121000-0x000000006B123000-memory.dmp

Filesize
8KB

Download
memory/1592-87-0x0000000000000000-mapping.dmp

Download
memory/1592-92-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1592-91-0x0000000000A40000-0x0000000000CC1000-memory.dmp

Filesize
2.5MB

Download
memory/1592-93-0x0000000002470000-0x0000000002773000-memory.dmp

Filesize
3.0MB

Download
memory/1592-94-0x00000000022E0000-0x0000000002373000-memory.dmp

Filesize
588KB

Download
memory/2020-83-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/2020-82-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download
memory/2020-85-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/2020-80-0x000000000041EB10-mapping.dmp

Download
memory/2020-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads